The CyberWire Daily Podcast 2.19.16
Ep 39 | 2.19.16

DDoS by pingback. Twitter flaw patched. Security system flaws. Apple vs. FBI, continued.


Dave Bittner: [00:00:03:18] Twitter closes a password recovery bug and warns that it will cancel your account if you try to exploit it. Google's Project Zero finds a VNC server enabled by default in a family of anti-virus products. Sucuri warns about the DDoS dangers you'll present to your online neighbors if you enable pingback on your WordPress site. Networked home security products may be behaving badly. The dispute between Apple and the FBI strikes observers as moving into uncharted legal waters. And hey, Air Force, life might be short, but seriously, don't have an affair.

Dave Bittner: [00:00:36:16] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.

Dave Bittner: [00:00:59:15] I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, February 19th, 2016.

Dave Bittner: [00:01:07:11] Twitter is notifying some 10,000 affected subscribers that a password recovery bug may have exposed their personal information. The problem occurred over a 24-hour period last week. Twitter says it immediately fixed the vulnerability and starchily warns that it intends to permanently suspend any accounts it determines tried to exploit the flaw to steal information.

Dave Bittner: [00:01:26:19] In other patch news, FireEye fixes a whitelisting issue in its NX, FX, EX and AX products. And Google issues an update for Chrome.

Dave Bittner: [00:01:36:10] Google's Project Zero announces more unfortunate news for Comodo. Comodo Antivirus, Comodo Firewall and Comodo Internet Security are accompanied by GeekBuddy, a technical support program that installs a VNC server by default. The server comes with admin-level privileges and an easily guessed default password.

Dave Bittner: [00:01:54:15] Sucuri warns that the pingback feature in older WordPress sites is being used to execute Layer 7 DDoS attacks against servers. Layer 7 attacks exhaust server resources at the application layer as opposed to the network layer, which means they don't require as much bandwidth or request traffic to claw their targets.

Dave Bittner: [00:02:11:10] Newer versions of WordPress record the IP addresses from which pingback requests originate, which makes it easier for defenders to identify the malicious command-and-control servers and then shut them out. Thus Layer 7 attacks are becoming less common. But there's an easy way to stop your site from being implicated in this kind of DDoS campaign: disable pingbacks.

Dave Bittner: [00:02:32:09] That other fashionable form of cyber crime, ransomware, might get a boost from Hollywood Presbyterian's recent decision to pay hackers $17,000. Or so various security pundits tell Newsweek. It's difficult to fault the hospital, though, as Malwarebytes points out; after all, they do have to take care of their patients.

Dave Bittner: [00:02:49:15] If you notice a “.locky” file extension on your system, you have been tagged by the Dridex-distributed Locky ransomware, warn the Palo Alto researchers who've been tracking it. And in case you're wondering, it's “Locky,” not “Loki,” as some scholars of the Poetic Edda, or at least Marvel's Avengers comic books, have speculated. Heimdal Security can set you straight on this and all other matters, as guardian. Heimdal also warns that Locky has been aggressively targeting German-speaking users.

Dave Bittner: [00:03:17:15] Here's why people fear the Internet of Things, says Brian Krebs, as he reports on peer-to-peer networking embedded in Foscam IP security cameras. The cameras chatter a lot to various remote servers, and the peer-to-peer networking functionality is, according to Krebs, difficult to disable, requiring persistence and technical savvy beyond what most ordinary users are likely to have.

Dave Bittner: [00:03:39:02] In the US, industry remains, on balance, quite unhappy with the Wassenaar cyber arms control accord. The administration has suspended implementation and reopened study and comment. But a variety of technical and industry groups are pressing the Secretary of State to renegotiate the agreement as a whole.

Dave Bittner: [00:03:55:21] The big news today in cyber has both policy and legal implications. We refer, of course, to Apple's ongoing dispute with the Department of Justice over rendering the FBI assistance in gaining access to the San Bernardino jihadist's iPhone. The case is complex and controversial. The Justice Department isn't asking Apple to unlock the phone. Rather, it's asking them to give the FBI a special software tool that would enable the FBI to bypass security protections and brute force that particular device's password. This sounds too close to a back door for comfort to many in the tech industry. On the other hand, say others in the industry, the request does seem both limited in scope and within Apple's technical ability to comply. And the request isn't a search warrant. It's a request brought under an old law, the All Writs Act of 1789, the current form of which was passed in 1911. What precedents the decision might set is, according to legal observers, uncharted territory. In any case, Apple's stance is about a year in the making. The company began pushing back last year against what it characterized as conscription into law enforcement.

Dave Bittner: [00:04:59:13] And finally, Ashley Madison reappears in the news. Apparently the adultery site is unusually popular among members of the US Air Force, or so reports the Air Force Times. So, as a public service to all Air Force service members, we offer these words: Article 134, Uniform Code of Military Justice. Come on, gang, straighten up, fly right.

Dave Bittner: [00:05:24:01] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at

Dave Bittner: [00:05:42:10] It's a longstanding trend that enterprises are migrating more of their data and services to cloud providers. Law firms are no exception. Bloomberg BNA notes that more than 20 US states' legal ethics organizations have issued guidelines on what counts as reasonable care in adoption of cloud services. We caught up with one of our partners at the University of Maryland Center for Health and Homeland Security and asked Marcus Rauschecker to walk us through some of the cloud's implications for any enterprise user.

Marcus Rauschecker: [00:06:08:20] Seems like everyone wants to go into the cloud these days, and there are some good reasons for that: economic reasons, productivity reasons. There are some important questions that any business should ask before they enter into an agreement with a third-party cloud provider that's going to be storing their data. Firstly, who is going to own the data once it's up in the cloud? Does the company who generated the data, collected the data, still have full ownership, or does the cloud service provider have some degree of ownership? How safe and secure is the data once it's up in the cloud? For a company that chooses to store data in the cloud, especially with a third-party service provider, there's a loss of control over the data once you're uploading it to the cloud. There are important questions to be asked when it comes to safety and security measures.

Marcus Rauschecker: [00:07:07:03] The company needs to ask who has access to the data once it's stored in the cloud, both from a technical side and a personnel side. What employees of a third-party provider have access to the data? Who can view the data? How can they get to it? Can they get to it? What happens when I want to move the data somewhere else? Can I easily take my data from the third-party provider? Can I end my contract easily? Can I take the data with me as I see fit? Finally, who's liable for a service interruption? If the company or my customers can't access the data and there are monetary losses because of that, who's going to be responsible for reimbursement? How is all that going to be dealt with from a liability aspect? These are questions to ask before entering into any agreement with a third-party cloud service provider. We end up seeing that a lot of these issues are going to be settled by contract. It's important, when you enter into an agreement, that the contract you have with the cloud provider is reviewed in detail, line by line.

Dave Bittner: [00:08:28:13] Is it also a matter of not putting all your eggs in one basket, or are people coming up with hybrid solutions, or both cloud and local redundancy?

Marcus Rauschecker: [00:08:37:13] Absolutely. When we talk about storing data online or on a server somewhere, we're always worried about storing all of our data in one place, and that's not a good idea. You always want to replicate data in various locations and through various media. It's a good practice to have a backup locally as well as in the cloud, or through another cloud provider in a different location. There are then multiple ways of getting to your data.

Dave Bittner: [00:09:10:24] Marcus Rauschecker, thanks for joining us.

Dave Bittner: [00:09:14:13] And that's the CyberWire. For links to all of today's stories, interviews, our glossary, and more, visit the The CyberWire podcast is produced by CyberPoint International, and our editor is John Petrik. I'm Dave Bittner, thanks for listening.